Scientists have devised a series of novel and inexpensive attacks that can severely disrupt mission-critical global positioning systems relied on by the military and a variety of industrial players, including airlines, mining companies, and operators of hydroelectric plants and other critical infrastructure.

Unlike previous GPS attacks, the ones developed by a team of scientists from Carnegie Mellon University and a private navigation company exploit software bugs in the receivers themselves. That makes them stealthier and more persistent than earlier attacks, which relied primarily on jamming the signal or spoofing the position and timing data it carries. Prototype hardware that cost only $2,500 to build can make a wide variety of GPS devices within a 30-mile radius malfunction. Because many of those devices are reference stations in differential-correction networks that make GPS positioning more precise, the attacks disrupt the larger aviation, military, and critical-infrastructure systems that depend on those networks.

The PCSS, or phase-coherent signal synthesizer, that they developed simultaneously receives and transmits civil GPS signals. It does much of what the spoofers used in earlier GPS attacks do, but instead of merely feeding false data that degrades the accuracy of a receiver's position and time fix, it transmits navigation-message data crafted to exploit weaknesses in the firmware of nearby receivers, many of which use the Internet to share their readings with other machines. The PCSS succeeds because the civil GPS signal carries no authentication and the receivers that consume it do almost nothing to validate what they decode.

"Our findings suggest despite the fact that GPS is an unauthenticated broadcast protocol, current receivers treat any incoming signal as guaranteed correct," the scientists wrote in a research paper. "Worse, receivers often run full OSes with network services. Together, the possibility of RF [radio frequency] and ethernet attacks creates a large attack surface."

The "middle-of-the-earth" attack works by having the PCSS broadcast an ephemeris in which a satellite's semi-major axis is zero. NetRS receivers as far away as 30 miles accept the value and use it as a divisor when calculating the satellite's orbit. The resulting fault sends the device into an endless reboot loop that persists even after the bad data is no longer being transmitted. The researchers released a video demonstration of the attack.
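As an added illustration (not code from the paper or from any receiver vendor), the following Python sketch shows why a zero semi-major axis is fatal to the standard broadcast-ephemeris orbit computation, and what a receiver should do before it ever performs that arithmetic. The ephemeris values, the plausibility bounds in validate_ephemeris, and the toy Receiver class with its NVRAM cache are all constructed for the example. In particular, the assumption that the reboot loop is caused by the receiver reloading cached ephemeris at boot is the example's own; the page states only that the loop persists after the signal stops.

```python
import math

GM = 3.986005e14           # WGS-84 Earth gravitational constant, m^3/s^2
OMEGA_E = 7.2921151467e-5  # WGS-84 Earth rotation rate, rad/s

# Constructed ephemeris records (not captured from a real satellite).
# sqrt_a is the broadcast square root of the semi-major axis in m^(1/2);
# a healthy GPS satellite broadcasts roughly 5153.6 (A of about 26,560 km).
GOOD_EPH = {"sqrt_a": 5153.6, "e": 0.01, "m0": 0.5, "delta_n": 4.5e-9,
            "i0": 0.96, "omega0": 1.2, "w": 0.3, "omega_dot": -8e-9, "toe": 0.0}
# The "middle-of-the-earth" payload: identical except the semi-major axis is zero.
MIDDLE_OF_EARTH_EPH = dict(GOOD_EPH, sqrt_a=0.0)


def satellite_position(eph, t):
    """Simplified Keplerian satellite position (ECEF metres) from broadcast ephemeris.

    Follows the first steps of the IS-GPS-200 user algorithm. The terms that
    matter here are A = sqrt_a**2 and n0 = sqrt(GM / A**3): with A == 0 the
    mean-motion step divides by zero, which is the fault the attack exercises.
    """
    a = eph["sqrt_a"] ** 2
    n0 = math.sqrt(GM / a ** 3)            # ZeroDivisionError when a == 0
    n = n0 + eph["delta_n"]
    tk = t - eph["toe"]
    mk = eph["m0"] + n * tk                # mean anomaly
    ek = mk
    for _ in range(10):                    # Kepler's equation by fixed-point iteration
        ek = mk + eph["e"] * math.sin(ek)
    vk = math.atan2(math.sqrt(1 - eph["e"] ** 2) * math.sin(ek),
                    math.cos(ek) - eph["e"])
    phik = vk + eph["w"]
    rk = a * (1 - eph["e"] * math.cos(ek))
    xk, yk = rk * math.cos(phik), rk * math.sin(phik)
    omegak = eph["omega0"] + (eph["omega_dot"] - OMEGA_E) * tk - OMEGA_E * eph["toe"]
    i = eph["i0"]
    x = xk * math.cos(omegak) - yk * math.cos(i) * math.sin(omegak)
    y = xk * math.sin(omegak) + yk * math.cos(i) * math.cos(omegak)
    z = yk * math.sin(i)
    return x, y, z


class EphemerisRejected(ValueError):
    pass


def validate_ephemeris(eph):
    """Rule-based sanity check applied before the ephemeris is used or cached.

    The bounds are assumptions chosen around nominal GPS orbit parameters,
    not values taken from the paper.
    """
    if not 5000.0 <= eph["sqrt_a"] <= 5300.0:
        raise EphemerisRejected("sqrt(A) out of range: %r" % eph["sqrt_a"])
    if not 0.0 <= eph["e"] < 0.05:
        raise EphemerisRejected("eccentricity out of range: %r" % eph["e"])
    if not 0.8 <= eph["i0"] <= 1.1:        # about 46 to 63 degrees; nominal is 55
        raise EphemerisRejected("inclination out of range: %r" % eph["i0"])
    return eph


class Receiver:
    """Toy receiver whose ephemeris cache survives a reboot (assumed model of the
    persistent reboot loop). `validate` selects the hardened behaviour."""

    def __init__(self, validate):
        self.validate = validate
        self.nvram = {}                    # survives reboot
        self.boots = 0

    def receive(self, eph):
        if self.validate:
            eph = validate_ephemeris(eph)  # rejected data never reaches NVRAM
        self.nvram["eph"] = eph

    def boot(self):
        """Return True if the receiver comes up, False if it crashed on cached data."""
        self.boots += 1
        eph = self.nvram.get("eph")
        if eph is None:
            return True
        try:
            satellite_position(eph, t=300.0)
            return True
        except ZeroDivisionError:
            return False


def reboot_loop_length(validate, max_boots=5):
    """Feed the attack ephemeris once, then reboot with the signal gone.
    Returns how many consecutive boots crashed (capped at max_boots)."""
    rx = Receiver(validate)
    try:
        rx.receive(MIDDLE_OF_EARTH_EPH)
    except EphemerisRejected:
        pass
    crashes = 0
    for _ in range(max_boots):
        if rx.boot():
            break
        crashes += 1
    return crashes
```

With validation off, reboot_loop_length(False) crashes on every boot because the poisoned ephemeris is reloaded from the cache each time, which is the persistence the article describes; with validation on, the record is rejected before it is stored and the receiver boots cleanly. The point of checking before caching, rather than only before computing, is that a receiver which stores first and validates later still has to survive its own bad data on every restart.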

In all, the scientists devised attacks that worked on the NetRS and eight other GPS receiver models, including ones used by consumers, pilots, and operators of industrial equipment. One attack had devastating consequences for the Arbiter 1094B Substation Clock, which serves as an accurate time source for equipment in electrical substations. It used the PCSS to broadcast a week number one week ahead of the current one while leaving every other field of the navigation message unchanged.

The scientists then used the technique to simulate week-number rollover events, alternating between high, low, and medium week numbers until the clock's date had shifted by roughly 100 years. Because the Arbiter never checked the received week number against its own internal clock, the exposure caused permanent damage.

"Multiple days without power, attempts to change the date through commands over the serial console, and reloading the firmware of the device proved unsuccessful for decrementing the year on the clock, rendering the device practically useless as a sub-microsecond accurate time source," the researchers wrote.

EGADS, no easy fix

Because the attacks exploit bugs in potentially millions of stand-alone devices, no single patch can fix the GPS vulnerability. The research paper instead proposes EGADS. Short for Electronic GPS Attack Detection System, it would be the GPS equivalent of the intrusion detection systems used to spot attacks on enterprise networks: a rule-based component that rejects impossible values in the navigation message, and an anomaly-based component that flags data deviating from the known almanac.
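The Arbiter week-number attack described above and the EGADS proposal come down to the same missing step: checking each decoded navigation message against something the receiver already trusts before acting on it. The following added Python example (not the paper's EGADS implementation, and not code from any vendor named on this page) sketches such a filter with one rule-based check on time, one rule-based check on orbit parameters, and one almanac-based anomaly check. The almanac entries, the navigation frames, the thresholds, and the local clock value are all constructed for the example; leap seconds are ignored for brevity.

```python
import datetime as dt

GPS_EPOCH = dt.datetime(1980, 1, 6, tzinfo=dt.timezone.utc)
WEEK = dt.timedelta(days=7)
WEEK_ROLLOVER = 1024   # the legacy navigation message carries a 10-bit week number


def resolve_week(wn10, trusted_now):
    """Expand a 10-bit broadcast week number to the full week count whose
    1024-week cycle lies closest to a trusted local time (RTC, NTP, build date)."""
    ref_week = (trusted_now - GPS_EPOCH) // WEEK
    base = ref_week - ref_week % WEEK_ROLLOVER
    candidates = (base + k * WEEK_ROLLOVER + wn10 for k in (-1, 0, 1))
    return min(candidates, key=lambda w: abs(w - ref_week))


def gps_to_utc(week, tow):
    """Full GPS week plus time-of-week in seconds to a datetime (no leap seconds)."""
    return GPS_EPOCH + week * WEEK + dt.timedelta(seconds=tow)


# Constructed almanac subset: nominal sqrt(A) in m^(1/2) and inclination in radians.
ALMANAC = {
    1: {"sqrt_a": 5153.7, "i0": 0.962},
    7: {"sqrt_a": 5153.5, "i0": 0.958},
}


class Egads:
    """Rule-based plus anomaly-based filter in front of the receiver's time and
    orbit logic. Thresholds are assumptions made for this example."""

    def __init__(self, trusted_now, max_skew_days=1.0, sqrt_a_tol=2.0, incl_tol=0.02):
        self.trusted_now = trusted_now
        self.max_skew_days = max_skew_days
        self.sqrt_a_tol = sqrt_a_tol
        self.incl_tol = incl_tol

    def check(self, frame):
        """Return a list of alert strings; an empty list means the frame may be used."""
        alerts = []
        # Rule: decoded time must stay close to the trusted clock. This is the
        # check whose absence let a one-week offset walk the substation clock.
        week = resolve_week(frame["wn"], self.trusted_now)
        t = gps_to_utc(week, frame["tow"])
        skew_days = abs((t - self.trusted_now) / dt.timedelta(days=1))
        if skew_days > self.max_skew_days:
            alerts.append("decoded time is %.1f days from trusted clock" % skew_days)
        # Rule: orbit parameters must be physically possible before any arithmetic uses them.
        if frame["sqrt_a"] <= 0:
            alerts.append("non-positive sqrt(A)")
        # Anomaly: the ephemeris should agree with the almanac held for this PRN.
        ref = ALMANAC.get(frame["prn"])
        if ref is None:
            alerts.append("PRN %d not in almanac" % frame["prn"])
        else:
            dev = abs(frame["sqrt_a"] - ref["sqrt_a"])
            if dev > self.sqrt_a_tol:
                alerts.append("sqrt(A) deviates from almanac by %.1f" % dev)
            if abs(frame["i0"] - ref["i0"]) > self.incl_tol:
                alerts.append("inclination deviates from almanac")
        return alerts

    def accept(self, frame):
        """Only frames that pass every check are allowed to steer the trusted clock."""
        alerts = self.check(frame)
        if not alerts:
            week = resolve_week(frame["wn"], self.trusted_now)
            self.trusted_now = gps_to_utc(week, frame["tow"])
        return alerts


# Constructed scenario: local RTC reads Monday 2012-10-15, one day into GPS week 1710.
NOW = dt.datetime(2012, 10, 15, tzinfo=dt.timezone.utc)
NOW_WEEK = (NOW - GPS_EPOCH) // WEEK

FRAMES = [
    # 1. plausible frame: current week, PRN 1, orbit matching the almanac
    {"prn": 1, "wn": NOW_WEEK % WEEK_ROLLOVER, "tow": 86400, "sqrt_a": 5153.7, "i0": 0.962},
    # 2. substation-clock style payload: week advanced by one, all else unchanged
    {"prn": 1, "wn": (NOW_WEEK + 1) % WEEK_ROLLOVER, "tow": 86400, "sqrt_a": 5153.7, "i0": 0.962},
    # 3. rollover-simulation payload: a week number far away in the 1024-week cycle
    {"prn": 7, "wn": (NOW_WEEK + 600) % WEEK_ROLLOVER, "tow": 86400, "sqrt_a": 5153.5, "i0": 0.958},
    # 4. middle-of-the-earth payload: sqrt(A) set to zero, time left correct
    {"prn": 7, "wn": NOW_WEEK % WEEK_ROLLOVER, "tow": 86402, "sqrt_a": 0.0, "i0": 0.958},
]


def run(frames, trusted_now=NOW):
    """Feed frames through a fresh detector and return the alert list for each."""
    detector = Egads(trusted_now)
    return [detector.accept(f) for f in frames]
```

Frame 1 passes and is allowed to discipline the trusted clock; frames 2 and 3 are flagged on time skew alone, so the alternating high, low and medium week numbers in the rollover attack never move the clock; frame 4 is flagged by both the orbit rule and the almanac comparison. A real deployment would source trusted_now from a holdover oscillator or a second time reference rather than from the GPS stream it is policing, since a clock that trusts the same input it is checking has nothing to compare against.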

Longer-term fixes will require engineers to build data-level and OS-level defenses into the receivers they design. In theory, military systems already have a solution to these attacks, but in many cases they rely on civilian GPS signals, so they aren't immune, Tyler Nighswander, one of the researchers, told Ars.

Besides Nighswander and David Brumley of Carnegie Mellon, the other researchers who wrote the paper included Brent Ledvina, Jonathan Diamond, and Robert Brumley of Coherent Navigation, which provides GPS services and products. They presented their research at the 19th ACM Conference on Computer and Communications Security in October, but the paper only came to wider attention recently.

Now that GPS has grown from a limited-purpose positioning system into a ubiquitous, trusted source of positioning, navigation, and timing, failing to fix the vulnerabilities carries serious consequences, they warned.

"The intricate nature of today's GPS devices has created a large attack surface," they wrote. "Previous approaches have treated GPS security as an issue of hardware and signal analysis, but many traditional software security lessons have yet to be learned by GPS manufacturers. Until GPS is secured, life and safety-critical applications that depend upon it are likely vulnerable to attack."

Promoted Comments

GPS is not only used for navigation. I work at an insurance company, and we have dedicated GPS receivers at each of our sites to use the synchronized atomic clocks of the GPS satellites as an NTP source for timing. Financial transactions need to be timestamped correctly, not to mention the network and computers that are transmitting all of that and logging things. The ability to adjust the clock on a GPS system is a big deal, because when our times start skewing more than a few minutes off, network authentication starts breaking, and when we can't accurately determine the order of financial transactions, big government agencies start asking questions.

GPS actually has a long history with commercial airlines. The FAA played a large part in having the government turn off "Selective Availability" which was a false error introduced in GPS to make it less desirable for US enemies who may try using GPS for missile guidance, so that airlines could start actually counting on GPS to be accurate and use it for navigation.

Any commercial airliner will have backup navigation devices (radar and inertial devices), but GPS gets heavily used just because it is so much easier and incredibly accurate. Pilots are required to be able to navigate by alternate means to get their license, but given how rare it is for a GPS to malfunction in normal use, it's hard to say how much practice they have piloting in GPS denied circumstances. Things like autopilot will also rely on GPS because in just about all cases, it is the most accurate tool someone could ask for.

One very concrete example is WAAS (this is a DGPS corrections network similar to the CORS network mentioned in the paper, but developed by the FAA, which actually broadcasts over the air like GPS). From the FAA's website ( http://www.faa.gov/about/office_org/hea ... gnss/waas/ ) "WAAS provides service for all classes of aircraft in all phases of flight - including en route navigation, airport departures, and airport arrivals. This includes vertically-guided landing approaches in instrument meteorological conditions at all qualified locations throughout the NAS."

There is also ADS-B, the GPS-based air traffic control system, which is starting to get rolled out.

So the short of it is: GPS is used pretty heavily in aircraft, though there should be procedures to take in case it breaks.

In normal operation, a $1,000 GPS receiver can replace a $15,000+ atomic clock, or a $30 GPS receiver can act as an always synchronized, no hassle clock. Places that use this include: NTP servers, SCADA equipment, traffic lights(!), some cell phone base stations, utility companies (in the form of PMUs), and a lot more.

Cell phone base stations (aka femtocells) also use GPS for E911 purposes, so they really do use the "positioning" part.

Quote:

One very concrete example is WAAS (this is a DGPS corrections network similar to the CORS network mentioned in the paper, but developed by the FAA, which actually broadcasts over the air like GPS). From the FAA's website ( http://www.faa.gov/about/office_org/hea ... gnss/waas/ ) "WAAS provides service for all classes of aircraft in all phases of flight - including en route navigation, airport departures, and airport arrivals. This includes vertically-guided landing approaches in instrument meteorological conditions at all qualified locations throughout the NAS."

I learned about WAAS recently while investigating external GPS receivers to improve the accuracy of My Tracks for Android for driving in "urban canyon" environments (downtown SF, for example). I recorded a track with a Nexus 4 sitting on the passenger seat (because I didn't have a car dock for it), and was amazed how much the position jumped around due to the buildings, even when stopped at an intersection. A car dock would've helped, but I'm not sure how much (and Nexus 4 supports GLONASS).

I bought a Garmin GLO Bluetooth GPS + GLONASS + WAAS receiver for $99. The same model is sold to pilots for $129 (GLO for Aviation), with the only difference being a 6-month trial to a mapping service for pilots. GPS + WAAS is accurate in real-world testing to ~1m horizontal and vertical position, while GPS alone is only accurate to about 5m on a good day. There are a lot of really cool charts and graphs on the WAAS test team website showing current satellite positions, visibility, and status.

Why is information like this publicly reported? Shouldn't it be fixed before it is even reported to the public? I always worry that public dissemination of exploits like this are dangerous. I can imagine some cyber-terrorist working for a random cause or rogue country reading this article and smiling.

This has been discussed time and time again, but some important points to consider:

1. If this information remained private to the GPS manufacturers, where's the pressure to fix the problem? There are plenty of examples of software developers saying "Well, nobody's using the attacks in the wild, and nobody knows about it, so why bother spending the money to fix it." When the public knows about it, there's at least some pressure on the companies to fix the problem.

2. At least when people know about the flaws in the system, they'll be a bit more wary about trusting it.

3. Even if the information was kept private, what's to stop random employees from leaking it?

4. It's foolish to think that someone else couldn't develop the attack independently anyway. If university researchers can come up with this, then so can engineers working for a nation state. All of this stuff is within the realm of what could be accomplished by a reasonably experienced hobbyist with a bit of time and money on their hands.

Quote:

Most of the article seems like fear-mongering.

If you want to talk about making receivers more fault tolerant, that's fine. But you can do all you want in terms of making the software work better and it won't protect you from someone broadcasting on L1 and turning up the power to saturate your RF front-end and stop you from seeing anything. It doesn't even take that much power.

Denying GPS coverage is not difficult if you are targeting a civilian receiver.

Actually this is significantly more serious than what you're talking about. Sure you can jam GPS signals, but you have to keep transmitting, which makes it easy to trace. As soon as you switch the jammer off, everything starts working fine again. The researchers behind this paper managed to permanently brick a $19000 piece of equipment simply by transmitting one malformed signal. With suitable signal coverage distance, you could literally do millions of dollars of damage at the press of a button. And it would only take a fraction of a second, so by the time anyone started to try tracing the signal, it would already be done.

GPS is by its nature very disruptable. For that matter, all sat-based navigation is, and probably will always be unless we take extraordinary measures to put high-output power sources in orbit. The power output of a navsat ensures that its signal will be so weak that it can be easily disrupted with any number of medium-tech solutions.

This is ridiculous! One would think that software engineers working on ***GPS*** would take more care than this; especially given that GPS technology originated in the military, and robust mechanisms for calculating position & time correctly and avoiding these errors should have been written into standards published decades ago. Obviously, I've been too optimistic! How can I get a job for one of these companies, fixing this shoddy code?

Airlines using GPS? That's new. I've heard of ATC being provided using GPS, but that's only where radar coverage isn't available. The only time an airliner uses GPS is when it's on the ground, and even then it's of limited use as initial input values. Otherwise you can just as easily use coordinates provided by the airport since parking positions are well known and fixed. The aircraft positioning is self contained for the most part, because obviously attacks like these have always been possible. Commonly referred to as INS, Inertial Navigation System.

Why do most military GPS systems rely on Civilian signals? This is why.

It is a rule that all military hardware has to have SAASM capability to harden it to spoofing. What you might not realize however, is that SAASM is useless without a crypto key loaded into the GPS unit. What you further might not realize is that most of these keys are kept on paper-tape which must be read through a seriously cold war piece of hardware. This hardware is normally only kept at a couple of bases in any given Theater to protect it from theft/accidental dissemination (if it gets leaked, the SAASM systems are compromised).

The problem is that GPS units get delivered to their Forward Operating Bases (FOBs) directly. To key them, they need to then be brought to the closest base with a key loader, which is often hundreds of kilometers away. There are literally thousands of GPS systems in country, with old ones being damaged or needing replacement regularly. And in most systems, if the storage battery dies, the key is lost (our systems required a battery removal/reinstallation before first boot in theater to reliably work, so shipping them keyed doesn't work either). This means the vast majority of military GPS in warzones do not have access to the military GPS signals, nor are they protected from spoofing or jamming. It's kind of scary when you think about it.

I'm not trying to come across as a Luddite, but it may not be a bad idea to keep up-to-date paper charts and a sextant at hand. Although requiring more time and user skill, they are pretty much impossible to spoof, hack, or take offline...

Quote:

"Multiple days without power, attempts to change the date through commands over the serial console, and reloading the firmware of the device proved unsuccessful for decrementing the year on the clock, rendering the device practically useless as a sub-microsecond accurate time source," the researchers wrote.

Wait - did they do this on an actual installation, or do they have test power stations sitting around used for testing?

And isn't the FAA talking about going to a GPS-driven anticollision system? Yikes!

Quote:

This is ridiculous! One would think that software engineers working on ***GPS*** would take more care than this; especially given that GPS technology originated in the military, and robust mechanisms for calculating position & time correctly and avoiding these errors should have been written into standards published decades ago. Obviously, I've been too optimistic! How can I get a job for one of these companies, fixing this shoddy code?

Quote:

Why do most military GPS systems rely on Civilian signals? This is why.

It is a rule that all military hardware has to have SAASM capability to harden it to spoofing. What you might not realize however, is that SAASM is useless without a crypto key loaded into the GPS unit. What you further might not realize is that most of these keys are kept on paper-tape which must be read through a seriously cold war piece of hardware. This hardware is normally only kept at a couple of bases in any given Theater to protect it from theft/accidental dissemination (if it gets leaked, the SAASM systems are compromised).

The problem is that GPS units get delivered to their Forward Operating Bases (FOBs) directly. To key them, they need to then be brought to the closest base with a key loader, which is often hundreds of kilometers away. There are literally thousands of GPS systems in country, with old ones being damaged or needing replacement regularly. And in most systems, if the storage battery dies, the key is lost (our systems required a battery removal/reinstallation before first boot in theater to reliably work, so shipping them keyed doesn't work either). This means the vast majority of military GPS in warzones do not have access to the military GPS signals, nor are they protected from spoofing or jamming. It's kind of scary when you think about it.

Two minutes of reading the Wikipedia article on SAASM shows that this was true for PPS-SM devices, but since 2006 all newly deployed receivers use SAASM which use an encrypted key that can be transmitted via unclassified channels.

Quote:

Why is information like this publicly reported? Shouldn't it be fixed before it is even reported to the public? I always worry that public dissemination of exploits like this are dangerous. I can imagine some cyber-terrorist working for a random cause or rogue country reading this article and smiling.

Quote:

Why do most military GPS systems rely on Civilian signals? This is why.

<stuff about stone age GPS key loading>

Given the sensitivity of these subjects, I am going to avoid going into any detail as to what I know; however, I will say that my experience has shown me that there are at least some systems that aren't "stuck in the stone age" as you would be suggesting.

Good lord, that thing is the size of a briefcase and isn't even printed on one board. Looks like it's mostly just logic boards and a big transmitter, so I'd bet it could be shrunk down to the size of, say, an iPad. The fact that it can permanently cripple enterprise-level equipment through a short signal burst is truly terrifying.

Article wrote:

The "middle-of-the-earth" attack works by instructing the PCSS to set a satellite's semi major axis to zero. That causes NetRS receivers as far away as 30 miles to use the number as a divisor ...

Quote:

Why is information like this publicly reported? Shouldn't it be fixed before it is even reported to the public? I always worry that public dissemination of exploits like this are dangerous. I can imagine some cyber-terrorist working for a random cause or rogue country reading this article and smiling.

It's made public to make people aware that GPS is not 100% secure. That way people will pay attention, which makes them more secure. A false sense of security could do more damage.

Quote:

Why do most military GPS systems rely on Civilian signals? This is why. [...already criticized stuff..]

I can't speak on authority on this, but what I've heard anecdotally is it isn't military systems that rely on civilian GPS, but that some individual soldiers use self-purchased civilian receivers, because the military units are either too expensive to provide to everyone who wants them, or are out of date in features or ease-of-use. (If you haven't worked with military suppliers or customers before, you have no idea how slow development can be ... or what a -55 to +71 C temperature requirement does to your lightweight electronics packaging.)

Quote:

I can't speak on authority on this, but what I've heard anecdotally is it isn't military systems that rely on civilian GPS, but that some individual soldiers use self-purchased civilian receivers, because the military units are either too expensive to provide to everyone who wants them, or are out of date in features or ease-of-use. (If you haven't worked with military suppliers or customers before, you have no idea how slow development can be ... or what a -55 to +71 C temperature requirement does to your lightweight electronics packaging.)

Out of curiosity, what's the technical justification for that extreme of an operating temperature range? I can't see e.g. combat operations actually taking place in a non-trivial chunk of that range since humans wouldn't realistically be able to survive either.

Quote:

Airlines using GPS? That's new. I've heard of ATC being provided using GPS, but that's only where radar coverage isn't available. The only time an airliner uses GPS is when it's on the ground, and even then it's of limited use as initial input values. Otherwise you can just as easily use coordinates provided by the airport since parking positions are well known and fixed. The aircraft positioning is self contained for the most part, because obviously attacks like these have always been possible. Commonly referred to as INS, Inertial Navigation System.

Airliners have been using GPS for years. Any new 737 or 777 coming off the production line is going to have it, and I'm sure Airbus planes are the same. It gets used in conjunction with IRS, radio navigation, and FMC computed position.

Lots of general aviation aircraft use it now too. Garmin has a number of receivers for civilian aviation use. More and more NDB approaches are being replaced by GPS/RNP approaches as well.

Quote:

Why do most military GPS systems rely on Civilian signals? This is why.

It is a rule that all military hardware has to have SAASM capability to harden it to spoofing. What you might not realize however, is that SAASM is useless without a crypto key loaded into the GPS unit. What you further might not realize is that most of these keys are kept on paper-tape which must be read through a seriously cold war piece of hardware. This hardware is normally only kept at a couple of bases in any given Theater to protect it from theft/accidental dissemination (if it gets leaked, the SAASM systems are compromised).

The problem is that GPS units get delivered to their Forward Operating Bases (FOBs) directly. To key them, they need to then be brought to the closest base with a key loader, which is often hundreds of kilometers away. There are literally thousands of GPS systems in country, with old ones being damaged or needing replacement regularly. And in most systems, if the storage battery dies, the key is lost (our systems required a battery removal/reinstallation before first boot in theater to reliably work, so shipping them keyed doesn't work either). This means the vast majority of military GPS in warzones do not have access to the military GPS signals, nor are they protected from spoofing or jamming. It's kind of scary when you think about it.

Quote:

Two minutes of reading the Wikipedia article on SAASM shows that this was true for PPS-SM devices, but since 2006 all newly deployed receivers use SAASM which use an encrypted key that can be transmitted via unclassified channels.

That only works if the GPS hardware the SAASM card is inserted into knows how to deal with a Black code. Or there is a clear way to set it into a mode which accepts a black key. We had the GPS system manufacturer working with us (as in on site with us) and we couldn't get a black key to successfully load.

That is to say, you are correct, that should work. However, in our experience it didn't work and we were using a relatively common GPS part. The only way we could successfully load a key was from the paper tape (we did it successfully in CONUS).

Quote:

Out of curiosity, what's the technical justification for that extreme of an operating temperature range? I can't see e.g. combat operations actually taking place in a non-trivial chunk of that range since humans wouldn't realistically be able to survive either.

I've never seen quite that range (not saying it doesn't exist, we just never had to meet it), but in most cases, the upper and lower extremes are storage temperatures. (You don't need to be able to operate it at those temps, just store it long enough for them to cold/hot soak.) The inside of a shipping container can get awfully hot for instance. We only ever had to test -20 to 55 operational and 60 or 65 storage if I recall correctly.

Quote:

I've never seen quite that range (not saying it doesn't exist, we just never had to meet it), but in most cases, the upper and lower extremes are storage temperatures. (You don't need to be able to operate it at those temps, just store it long enough for them to cold/hot soak.) The inside of a shipping container can get awfully hot for instance. We only ever had to test -20 to 55 operational and 60 or 65 storage if I recall correctly.

Ahh, my mistake, I assumed the OP was referring to operating temperatures. Thanks!

I've often wondered why the military doesn't use public key crypto for GPS. I didn't know about SAASM, turns out it is a hybrid symmetric/asymmetric encryption system.

Based on a quick read, it seems like a flawed system. I'm not a crypto expert, but GPS signals are extremely low bandwidth, according to Wikipedia 50 bit/s. That is small enough for a pure asymmetric algorithm to decrypt in real time.

At those bitrates, with enough spectrum, you could issue millions of keys. The bandwidth used by 1 HD Television could support tens of thousands of keys. You could give each military device a unique key when it ships from the factory. This would solve the problem of needing to program them in the field.

I can't understand why inertial navigation isn't incorporated into every UAV. Inertial navigation can not be spoofed. It might not be accurate enough for dropping bombs or missiles, but it was good enough to get the space shuttle into orbit. There is no excuse for a stealth drone that can't fly itself out of enemy airspace the moment the GPS system doesn't match up with the inertial system.

Quote:

I've often wondered why the military doesn't use public key crypto for GPS. I didn't know about SAASM, turns out it is a hybrid symmetric/asymmetric encryption system.

Based on a quick read, it seems like a flawed system. I'm not a crypto expert, but GPS signals are extremely low bandwidth, according to Wikipedia 50 bit/s. That is small enough for a pure asymmetric algorithm to decrypt in real time.

At those bitrates, with enough spectrum, you could issue millions of keys. The bandwidth used by 1 HD Television could support tens of thousands of keys. You could give each military device a unique key when it ships from the factory. This would solve the problem of needing to program them in the field.

I can't understand why inertial navigation isn't incorporated into every UAV. Inertial navigation can not be spoofed. It might not be accurate enough for dropping bombs or missiles, but it was good enough to get the space shuttle into orbit. There is no excuse for a stealth drone that can't fly itself out of enemy airspace the moment the GPS system doesn't match up with the inertial system.

Most military GPS systems are not purely GPS. They are hybrid GPS/INS systems which use the relatively infrequent GPS updates (about 1/second) plus their Gyros/accelerometers to generate intermediate solutions anywhere from 10Hz to 100Hz (I've never personally seen faster than 100Hz, but it probably exists somewhere). The problem with pure inertial systems is that they drift and you start getting further and further from where you think you should be.

Quote:

If you want to talk about making receivers more fault tolerant, that's fine. But you can do all you want in terms of making the software work better and it won't protect you from someone broadcasting on L1 and turning up the power to saturate your RF front-end and stop you from seeing anything. It doesn't even take that much power.

Denying GPS coverage is not difficult if you are targeting a civilian receiver.

I would have thought that the military was well prepared for a GPS outage given that it makes an obvious target in a WW3 scenario. I got the impression that all the serious hardware like ballistic missiles had INS and stellar navigation with cruise using INS and TERCOM which can't be jammed or disrupted. Presumably soldiers are also trained to navigate without GPS even if it is less than optimal.

Given how much civilians rely on it though, I'm sure there would be chaos.

Quote:

I've never seen quite that range, but in most cases, the upper and lower extremes are storage temperatures. (You don't need to be able to operate it at those temps, just store it long enough for them to cold/hot soak.) The inside of a shipping container can get awfully hot for instance. We only ever had to test -20 to 55 operational and 60 or 65 storage if I recall correctly.

In my experience, the more extreme operating ranges come on vehicle mounted systems (as opposed to handheld systems). The hot end comes from "sitting in a vehicle equipment bay, with the engine on, parked in the middle of a field, in the desert, with full sunlight". The lowest end is more of aircraft equipment requirement... unheated aircraft parts can hit -40 or -50 C, easy ... but people aren't hanging out there, so again, that's not for your 'handheld' GPSr.

Quote:

Why do most military GPS systems rely on Civilian signals? This is why.

It is a rule that all military hardware has to have SAASM capability to harden it to spoofing. What you might not realize however, is that SAASM is useless without a crypto key loaded into the GPS unit. What you further might not realize is that most of these keys are kept on paper-tape which must be read through a seriously cold war piece of hardware. This hardware is normally only kept at a couple of bases in any given Theater to protect it from theft/accidental dissemination (if it gets leaked, the SAASM systems are compromised).

This is simply not true. Military nav systems do not use GPS data that was not produced with crypto loaded as valid for navigation.

Loading keys is trivial and is regularly done on ships and airplanes while out on deployment.

Quote:

Most military GPS systems are not purely GPS. They are hybrid GPS/INS systems which use the relatively infrequent GPS updates (about 1/second) plus their Gyros/accelerometers to generate intermediate solutions anywhere from 10Hz to 100Hz (I've never personally seen faster than 100Hz, but it probably exists somewhere). The problem with pure inertial systems is that they drift and you start getting further and further from where you think you should be.

INS does drift, but submarines can go for weeks and longer on just INS without needing a GPS fix. WSN-7s are pretty accurate when used correctly.

Quote:

Why do most military GPS systems rely on Civilian signals? This is why.

It is a rule that all military hardware has to have SAASM capability to harden it to spoofing. What you might not realize however, is that SAASM is useless without a crypto key loaded into the GPS unit. What you further might not realize is that most of these keys are kept on paper-tape which must be read through a seriously cold war piece of hardware. This hardware is normally only kept at a couple of bases in any given Theater to protect it from theft/accidental dissemination (if it gets leaked, the SAASM systems are compromised).

Quote:

This is simply not true. Military nav systems do not use GPS data that was not produced with crypto loaded as valid for navigation.

Loading keys is trivial and is regularly done on ships and airplanes while out on deployment.

Sorry, I should have limited my sphere. You are correct in that GPS integrated into a delivered vehicle or on a large platform (like a ship or aircraft) will be keyed. The product more or less ships keyed since it is an integrated product. Edit: Though the spoofing and capture of the American drone by the Iranians would seem to suggest that that particular aircraft was NOT correctly keyed.

However most of the currently in Theater capabilities for ground vehicles which use GPS are bolted on in theater and in that case are rarely keyed correctly since they are shipped by civilian contractors through their military buyers. They don't have access to the keys when they roll them off the factory line. They get accepted at the factory, packaged and shipped into their operational environment. There they are unpacked, bolted onto whatever vehicle or platform they are used on and rarely ever keyed at that point.

I honestly think this is primarily a symptom of the rapid response requirements of the current conflicts. Once units start getting delivered in CONUS, this will change. So let me specify more clearly since I did make a mistake in my original post.

Bolt-on upgrades to systems which are deployed onto existing systems in theater that either add or replace GPS capabilities are very rarely keyed. At least in my experience.

Yes, but WSN-7s are redundant cabinets (and I know how big a cabinet is on a submarine, my first job was in Sonar for Fast Attack subs). And they are expensive (I mean not compared to a submarine, but then most things are cheap compared to a submarine). A GPS/INS combination that is ground vehicle sized is generally much less accurate over time. I'm not saying they are terrible, in fact the numbers can be pretty impressive (1mil/km for instance), but they can definitely matter over time.
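As an added example (not from the article, the paper, or any commenter), here is the kind of plausibility gate a hybrid GPS/INS receiver, as described in the two posts above, can put in front of each GPS fix: the 1 Hz GPS and 100 Hz inertial rates come from the thread, the 1 mil/km figure is taken as an assumed drift budget (1 m of error per km travelled), and the 5 m noise floor and 0.05 m/s sensor bias are constructed values.

```python
"""GPS/INS plausibility gate: accept a 1 Hz GPS fix only if it lies inside the
inertial solution's expected drift envelope; otherwise hold the INS solution.
Added example; rates from the thread, drift budget and noise values assumed."""
from dataclasses import dataclass
import math

INS_HZ = 100          # inertial solution rate (thread: 10-100 Hz)
GPS_HZ = 1            # GPS fix rate (thread: about once per second)
DRIFT_PER_KM = 1.0    # metres of INS error per km travelled (thread's 1 mil/km, assumed)
FLOOR_M = 5.0         # assumed GPS/INS noise floor so short legs are not over-tight

@dataclass
class NavState:
    x: float; y: float          # position, metres
    vx: float; vy: float        # velocity, m/s
    travelled_m: float = 0.0    # distance since the last accepted GPS fix

def ins_propagate(s: NavState, bias_vx=0.0, bias_vy=0.0) -> NavState:
    """Integrate one INS step; the bias models the sensor error that makes INS drift."""
    dt = 1.0 / INS_HZ
    dx, dy = (s.vx + bias_vx) * dt, (s.vy + bias_vy) * dt
    return NavState(s.x + dx, s.y + dy, s.vx, s.vy, s.travelled_m + math.hypot(dx, dy))

def drift_bound_m(s: NavState) -> float:
    """How far the INS solution may plausibly have drifted since the last fix."""
    return FLOOR_M + DRIFT_PER_KM * s.travelled_m / 1000.0

def accept_fix(s: NavState, fix_x: float, fix_y: float) -> bool:
    """A fix outside the drift envelope is not trusted, whatever the signal says."""
    return math.hypot(fix_x - s.x, fix_y - s.y) <= drift_bound_m(s)

def run_leg(seconds, true_v=(20.0, 0.0), bias=(0.05, 0.0), fix_offset=(0.0, 0.0)):
    """Propagate INS at INS_HZ for `seconds`; at every 1 Hz epoch build a fix from
    the true position shifted by fix_offset (a constructed bad fix when non-zero).
    Returns (accepted fixes, rejected fixes, final position error in metres)."""
    est = NavState(0.0, 0.0, *true_v)
    truth = NavState(0.0, 0.0, *true_v)
    accepted = rejected = 0
    for step in range(1, seconds * INS_HZ + 1):
        est = ins_propagate(est, *bias)
        truth = ins_propagate(truth)
        if step % (INS_HZ // GPS_HZ) == 0:
            fx, fy = truth.x + fix_offset[0], truth.y + fix_offset[1]
            if accept_fix(est, fx, fy):
                accepted += 1
                est = NavState(fx, fy, est.vx, est.vy, 0.0)   # re-anchor on the fix
            else:
                rejected += 1                                # keep the INS solution
    return accepted, rejected, math.hypot(est.x - truth.x, est.y - truth.y)
```

The gate only bounds sudden jumps: a false fix that starts coincident with the true position and walks away more slowly than the drift envelope would still be accepted, which is why the envelope has to be kept as tight as the inertial unit honestly allows.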

One of the authors of the paper, Tyler Nighswander, wrote in an email to me:

"Many military systems will first use the civilian GPS signal and then switch over to the military signal. Or surprisingly if some military receivers can't lock onto the military signal, they sometimes just drop down to the unauthenticated civilian signal. So it's not inaccurate to say that military systems are affected, but in theory the military does already have a solution for these attacks already in place, if they actually used it consistently."

Good lord, that thing is the size of a briefcase and isn't even printed on one board. Looks like it's mostly just logic boards and a big transmitter, so I'd bet it could be shrunk down to the size of, say, an iPad. The fact that it can permanently cripple enterprise-level equipment through a short signal burst is truly terrifying.

What you don't see pictured is the antenna (or array) they used to get that 30 mile range. This is just a signal generator. Note the jacks on the right for RF in/out.

By itself, this rackmount device probably has a range of maybe a hundred meters, and if you used it without an antenna load, it'd burn up its transmitters relatively quickly, rendering it useless. If it didn't have its own amplifiers and relied on an external amp/antenna/array, then it wouldn't burn itself out, but it probably wouldn't have more than a one meter range without an antenna.

Fair enough. I only work on the "big" things. The handhelds and - well just about everything used by the Army is unknown to me. I know you can also load crypto on handhelds like DAGR but never did.

Just out of curiosity, does anyone have information to elaborate on the use of GPS by "operators of hydroelectric plants"? I associate hydroelectric power with dams across rivers and they don't seem likely to be moving very far or fast (at least not in normal operation... the occasional flood disaster excepted).